257986
Posts: 6
Joined: Wed Sep 26, 2018 3:02 pm

Pi VPN Walkthru for PIA Private Internet Access

Thu Sep 27, 2018 11:53 pm

So a while ago I set up a Pi 3B that automatically goes into a VPN on boot, can communicate back and forth across the local network, and has a killswitch if the VPN goes down or the service is disconnected. I figured that since I spent some time on it I would share.

This was set up with 2018-06-27-raspbian-stretch. This can be set up with Lite, but due to the nature of this, it's best set up with the full Stretch because of the ease of using https://dnsleaktest.com

Let's start off with the basics. Get it updated.

sudo apt-get update -y
sudo apt-get upgrade -y

From there you'll want to go into config. You can use the one built into the interface or raspi-config if at the cli. You want to set a good password and enable SSH and/or VNC for network access at the minimum. Setting the local settings, like timezone and keyboard layouts are good to do here as well.

sudo raspi-config

Best to check the public IP right off the bat so that we have the current IP.

curl icanhazip.com

This configuration is going to be setting a static IP address, so it is probably a good idea to jot down your local IP address as well as the interface it is connected to. In this example I am using 192.168.0.35 connected on eth0.

ifconfig

Make a copy of your current network configuration

sudo cp /etc/network/interfaces /etc/network/interfaces.bak

Change your network configuration file

sudo nano /etc/network/interfaces

Depending on your network configuration this is going to change. Add this to the end of the file. The gateway address is usually the address of your router, and the network address (or -net, in the example) is usually the same address as your router but with the last octet a 0.

auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
	address 192.168.0.35
	netmask 255.255.255.0
	# the gateway is the router's address (the same gw used in the route line below)
	gateway 192.168.0.1
	dns-nameservers 1.1.1.1 1.0.0.1
up route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 metric 300

Reboot the Pi to verify that all the settings are looking good and you can still go online.

sudo reboot now

If using Lite, ping a website, like http://www.google.com, and press Ctrl+C to stop the pinging.

ping google.com

Install OpenVPN.

sudo apt-get install openvpn -y

Get the VPN configuration files for the VPN. I use PIA

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip

Unzip the configuration files and move a few of them in with the OpenVPN files

sudo unzip openvpn.zip -d openvpn
sudo cp openvpn/ca.rsa.2048.crt openvpn/crl.rsa.2048.pem /etc/openvpn/

Each of the configuration files goes to a particular region/area. For this example, France is being used. Change the filename accordingly.

sudo cp openvpn/France.ovpn /etc/openvpn/ex.conf

Create a login file. There's multiple ways to do this. USERNAME and PASSWORD are your login credentials for the VPN.

sudo su
touch /etc/openvpn/login
echo "USERNAME" >> /etc/openvpn/login
echo "PASSWORD" >> /etc/openvpn/login
# the file holds the VPN password in clear text; only root needs to read it
chmod 600 /etc/openvpn/login
exit

Edit the configuration file

sudo nano /etc/openvpn/ex.conf

CHANGE

auth-user-pass
ca ca.rsa.2048.crt
crl-verify crl.rsa.2048.pem

TO

auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt

Test the VPN. At this point note that you may lose the connection to the Pi if connected through VNC/SSH if there is anything mistyped.

sudo openvpn --config /etc/openvpn/ex.conf

You can check your IP again to verify that you have a different IP address or go to https://www.dnsleaktest.com and do the standard test.

curl icanhazip.com

Enable the VPN to enable itself at boot

sudo systemctl enable openvpn@ex

Reboot the Pi and verify that the VPN is operational by doing another test

sudo reboot now

Add iptables rules. If connecting into the Pi through a network connection, paste the entire list and don't manually type, or the connection will be lost before finishing. PIA uses port 1198 for establishing the connection and 53 for locating the PIA DNS server. If directing to an IP address directly, the lines that reference port 53 can be omitted as 53 will not have to be open. Other VPNs may require different ports.

# Allow loopback device (internal communication)
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

# Allow all local traffic.
sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

# Allow VPN establishment
# Only 2 ports open, 1 for DNS and 1 for VPN
# If establishing through an IP and not a name, the ones with port 53 can be removed
# Port 1198 may be different depending on the VPN
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 1198 -j ACCEPT
sudo iptables -A INPUT -p udp --sport 1198 -j ACCEPT

# Accept all TUN connections (tun = VPN tunnel)
sudo iptables -A OUTPUT -o tun+ -j ACCEPT
sudo iptables -A INPUT -i tun+ -j ACCEPT

# Set default policies to drop all communication unless specifically allowed
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP

Install the ability of the tables to save through reboots. Click Y on bind to IPv4

sudo apt-get install iptables-persistent -y

Ensure that the service runs and saves the settings

sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent

Reboot

sudo reboot now

Verify that everything is operating as it should. On reboot of the Pi, websites should be available. You can check your IP or pull up https://dnsleaktest.com.


Disabling the VPN should render the internet useless.

sudo service openvpn stop

Pull up the same website and verify that the internet does not work.


Turn OpenVPN back on and verify that all is operational again.

sudo service openvpn start


Occasionally, due to the order of all the services starting on the Pi on boot, the VPN will not start properly and will require restarting after boot.
This issue can be remedied one of two ways.
  • In raspi-config there is a wait on network option. Enable that to see if it fixes the issue.
  • Restart the service automatically on reboot

Option 2 can be done with a task scheduler.

sudo apt-get install gnome-schedule -y

When it's installed the application icon is added under System Tools, or just manually run it.

gnome-schedule

Schedule this task on reboot.

sudo service openvpn restart

Reboot and verify proper operation.

sudo reboot now

Enjoy

Here's a few of my sources:

Let me know what you guys think please
Last edited by 257986 on Sat Sep 29, 2018 12:59 pm, edited 2 times in total.
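The "stop openvpn and see if the internet dies" test above exercises one failure mode; the script below, an added example that is not part of the original post, audits the ruleset itself from a `sudo iptables-save` dump: default policies, the tun+ allow, a LAN allow that matches the subnet the Pi is actually on, and any OUTPUT allow that lets traffic bypass the tunnel (the UDP/53 rule as written permits plaintext DNS to any server on eth0, which is the classic DNS-leak path). The LAN subnet and VPN port are assumed values, and the sample dump is constructed from the tutorial's rules.

```python
"""Audit an iptables-save dump for the killswitch shape this thread builds.
Added example (not from the original post); LAN_CIDR and VPN_PORT are assumptions."""
import shlex
from ipaddress import ip_network
# Constructed sample of `sudo iptables-save` after the tutorial's rules. It bakes in
# the mistake paqman hit below: rules say 192.168.0.0/24, the Pi is on 192.168.1.0/24.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
COMMIT
"""
LAN_CIDR, VPN_PORT = "192.168.1.0/24", 1198


def parse_rules(dump):
    """Return (chain -> policy, [one {flag: value} dict per -A line]); plain "flag value" syntax only."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            opts, i = {"chain": tokens[1]}, 2
            while i < len(tokens):
                has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                opts[tokens[i]] = tokens[i + 1] if has_val else True
                i += 2 if has_val else 1
            rules.append(opts)
    return policies, rules


def audit_killswitch(dump, lan_cidr=LAN_CIDR, vpn_port=VPN_PORT):
    """Return findings as strings; an empty list means the dump looks as intended."""
    policies, rules = parse_rules(dump)
    findings = [f"{c} policy is {policies.get(c)}, not DROP"
                for c in ("INPUT", "OUTPUT", "FORWARD") if policies.get(c) != "DROP"]
    out = [r for r in rules if r["chain"] == "OUTPUT" and r.get("-j") == "ACCEPT"]
    if not any(r.get("-o") == "tun+" for r in out):
        findings.append("no OUTPUT ACCEPT on tun+: nothing can leave through the tunnel")
    nets = [r["-d"] for r in out if "-d" in r]
    if not any(ip_network(n) == ip_network(lan_cidr) for n in nets):
        findings.append(f"LAN {lan_cidr} not allowed in OUTPUT (rules allow {nets}): "
                        "SSH/VNC replies to the LAN will be dropped")
    for r in out:
        if "-o" in r or "-d" in r:  # pinned to an interface or destination: not a bypass
            continue
        port = r.get("--dport")
        if port == "53":
            findings.append("OUTPUT allows UDP/53 to any host on any interface: DNS queries can leave outside the tunnel (DNS leak)")
        elif port != str(vpn_port):
            findings.append(f"OUTPUT allows {'port ' + port if port else 'everything'} "
                            f"outside the tunnel; only {vpn_port} to the VPN server is expected")
    return findings
```

Run it against your own `sudo iptables-save` output after `netfilter-persistent save` to confirm the rules that survive a reboot are the ones you meant.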

epoch1970
Posts: 5598
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Pi VPN Walkthru for Private Internet Access

Fri Sep 28, 2018 3:57 pm

257986 wrote:
Thu Sep 27, 2018 11:53 pm
Make a copy of your current network configuration

sudo cp /etc/network/interfaces /etc/network/interfaces.bak
Change your network configuration file

sudo nano /etc/network/interfaces
Are you sure this works with Raspbian Stretch as-is?
Why not use dhcpcd.conf for such a straightforward config?
Enable the VPN to enable itself at boot

sudo systemctl enable openvpn@sw
Shouldn't that be "systemctl enable openvpn@ex"?
What about /etc/defaults/openvpn?
"If there is no solution, it's because there is no problem." Les Shadoks, J. Rouxel

257986
Posts: 6
Joined: Wed Sep 26, 2018 3:02 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Fri Sep 28, 2018 9:19 pm

epoch1970 wrote:
Fri Sep 28, 2018 3:57 pm
Are you sure this works with Raspbian Stretch as-is?

This does work as-is. It has been tested across several Pi's.

epoch1970 wrote:
Fri Sep 28, 2018 3:57 pm
Make a copy of your current network configuration

True, that could be omitted. No sense in backing up a file that's basically empty.

epoch1970 wrote:
Fri Sep 28, 2018 3:57 pm
Why not use dhcpcd.conf for such a straightforward config?

Had issues with that type of a config leaking DNS after the tunnel was secure. Going to explore it again when I have some time to do so.

epoch1970 wrote:
Fri Sep 28, 2018 3:57 pm
Shouldn't that be "systemctl enable openvpn@ex"?

Thanks. That was a typo. Correcting it.

257986
Posts: 6
Joined: Wed Sep 26, 2018 3:02 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Sat Sep 29, 2018 11:20 pm

I looked more into DHCP. If you want to DHCP here's a few steps to accomplish this

Modify the interfaces file

sudo nano /etc/network/interfaces

Following the example, the end of the file should look like this

Code: Select all

auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet static
up route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 metric 300

Install dnsmasq

sudo apt-get install dnsmasq

Modify the dnsmasq.config file

sudo nano /etc/dnsmasq.conf

Put this at the end

no-resolv
server=1.1.1.1
server=1.0.0.1

Go ahead and reboot

sudo reboot now

Test with https://www.dnsleaktest.com

If you want to check to make sure that the VPN killswitch is working, the best way is to just rename the config file and reboot.

sudo mv /etc/openvpn/ex.conf /etc/openvpn/ex1.conf
sudo reboot now

Just don't forget to name it back

sudo mv /etc/openvpn/ex1.conf /etc/openvpn/ex.conf
sudo reboot now

Works pretty well. Thanks for the suggestion

When I have some time I'm going to throw another post with the modifications for DHCP in it.

257986
Posts: 6
Joined: Wed Sep 26, 2018 3:02 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Sun Feb 03, 2019 11:51 pm

Created Pi VPN Setup for PIA with killswitch and DHCP.
Same basic setup but with DHCP

https://www.raspberrypi.org/forums/view ... 3&t=223733

rpifive
Posts: 1
Joined: Fri Feb 15, 2019 9:19 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Fri Feb 15, 2019 9:22 pm

You have a typo:
crl-verif /etc/openvpn/crl.rsa.2048.pem

should be
crl-verify /etc/openvpn/crl.rsa.2048.pem

Tonya2534
Posts: 1
Joined: Thu Feb 21, 2019 10:20 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Feb 21, 2019 10:51 am

You may be using the wrong words here. See the VPN server is the host itself. If you want traffic to reach the Internet through your Pi, then you need the VPN Client vivavideo

Gudlad
Posts: 1
Joined: Mon Mar 04, 2019 1:47 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Mon Mar 04, 2019 2:22 pm

Hya - not sure if I'm missing something here but the second and third lines of this code aren't in the file when I copy it from the zipped folder - only the auth-user-pass. The VPN seems to work without it but I get the feeling they should be in.

auth-user-pass
ca ca.rsa.2048.crt
crl-verif crl.rsa.2048.pem

TO

auth-user-pass /etc/openvpn/login
crl-verif /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt

Any advice for a Pi newbie or thoughts on why this would be missing would be greatly appreciated...
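Before enabling the unit at boot, a quick check of ex.conf catches the problems raised so far in this thread: rpifive's crl-verif typo (OpenVPN refuses to start on an unrecognized option), Gudlad's missing ca/crl-verify lines, and a login file that touch and echo under sudo leave readable by every local user. This is an added example, not code from the original post or from PIA; the sample config and the fixture directory are constructed, and the remote hostname is a placeholder.

```python
"""Check an OpenVPN client config of the kind assembled in this thread before enabling
it at boot. Added example; not code from the original post or from PIA."""
import os
import tempfile

# Constructed sample in the shape of the tutorial's edited ex.conf; the remote host is
# a placeholder, not a real endpoint.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1198
auth-user-pass /etc/openvpn/login
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
"""
FILE_DIRECTIVES = {"ca", "crl-verify", "auth-user-pass", "cert", "key"}
KNOWN_TYPOS = {"crl-verif": "crl-verify"}  # OpenVPN refuses to start on an unknown option


def parse_conf(text):
    """Yield (directive, args) per non-comment line; <ca>/</ca> inline tags count as 'ca'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].strip("<>/"), parts[1:]


def check_conf(text, root="/"):
    """Return findings; `root` is prefixed to file paths so a test can use a temp tree."""
    findings, seen = [], set()
    for name, args in parse_conf(text):
        seen.add(name)
        if name in KNOWN_TYPOS:
            findings.append(f"'{name}' is not an OpenVPN option, did you mean '{KNOWN_TYPOS[name]}'")
        elif name in FILE_DIRECTIVES and args:  # inline <ca> blocks carry no path argument
            path = args[0]
            full = os.path.join(root, path.lstrip("/"))
            if not os.path.exists(full):
                findings.append(f"{name} {path}: file not found")
            elif name == "auth-user-pass" and os.stat(full).st_mode & 0o077:
                # touch + echo under sudo leaves 0644: any local user can read the VPN password
                findings.append(f"{path}: readable by other users, chmod 600 it")
    for required in ("ca", "auth-user-pass"):
        if required not in seen:
            findings.append(f"missing '{required}' directive")
    if not seen & ({"crl-verify"} | set(KNOWN_TYPOS)):
        findings.append("no crl-verify: a revoked server certificate would still be trusted")
    return findings


def make_fixture(login_mode):
    """Build a throwaway etc/openvpn tree (constructed test data) and return its root."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "etc", "openvpn")
    os.makedirs(d)
    for fname in ("ca.rsa.2048.crt", "crl.rsa.2048.pem", "login"):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(d, "login"), login_mode)
    return root
```

On a real Pi, `check_conf(open("/etc/openvpn/ex.conf").read())` checks the live files under `/etc/openvpn`.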

Plex7
Posts: 2
Joined: Mon Nov 11, 2019 8:56 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Mon Nov 11, 2019 9:13 am

I have tried and researched extensively how to fix this DNS leak. About 4 servers in the standard test and about 5-6 in the extensive test all connected to my ISP. My only other alternative is to block those IP addresses. But how?

Also, the post before me is true. Tutorial is slightly outdated.

Please help!

Plex7
Posts: 2
Joined: Mon Nov 11, 2019 8:56 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Tue Nov 12, 2019 9:02 am

FIX DNS LEAK!

Open Terminal and edit the resolv.conf file by typing

nano /etc/resolv.conf

go ahead and delete all the other DNS servers there...
then add the server IP of the Private Internet Access DNS Servers

nameserver 209.222.18.222
nameserver 209.222.18.218

Save and exit the file and then reboot.

You will need to grant access to pi to edit the file. Prior to this, input this: sudo chown -R pi /etc/resolv.conf

Do the changes above and grant access back to root otherwise "sudo" won't work anymore with

pkexec chown root:root /etc/sudoers /etc/sudoers.d -R

Cob
Posts: 28
Joined: Tue Mar 05, 2013 2:03 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Tue Nov 12, 2019 5:10 pm

That change does not persist after the reboot.

will5023
Posts: 2
Joined: Thu Feb 06, 2020 9:26 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Feb 06, 2020 9:40 pm

When I run this part:
Each of the configuration files goes to a particular region/area. For this example, France is being used. Change the filename accordingly.
sudo cp openvpn/France.ovpn /etc/openvpn/ex.conf
I get the following
cp: target '/etc/openvpn/ex.conf' is not a directory
Can you advise? I'm pretty new to Raspberry Pi/Linux.

iknowreal
Posts: 1
Joined: Fri Mar 20, 2020 11:31 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Fri Mar 20, 2020 11:34 pm

A few questions. The first is how do I use a VPN location that has spaces, for example New York?
Also I have the same exact problem the previous poster had.

"cp: target '/etc/openvpn/ex.conf' is not a directory"

Please advise.

ggervais5
Posts: 2
Joined: Sun Apr 12, 2020 5:18 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Sun Apr 12, 2020 5:33 pm

I followed these instructions for my Raspberry PI 4, which I typically run headless and connect to via VNC. To complete the iptables commands, I had to connect it to a monitor and keyboard/mouse - it kept killing my VNC connection. With a monitor and keyboard/mouse, I was able to complete the rest of the setup. However, I can no longer connect to the PI via VNC nor SSH. I tried adding ports 22 and 5900 as INPUT in iptables, but still no access. When directly connected to the PI, I am able to browse the web over VPN just fine.

What am I missing?

Prior to setting up for PIA, I had set up a static IP using dhcpcd.conf with these lines:

interface eth0
static ip_address=192.168.1.15/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

So, I did not add the lines suggested in /etc/network/interfaces.

ggervais5
Posts: 2
Joined: Sun Apr 12, 2020 5:18 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Sun Apr 12, 2020 7:36 pm

I figured it out. The iptables settings were not being made persistent. It is all working now.

ramsdale
Posts: 1
Joined: Fri Apr 10, 2020 9:42 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Sat Apr 18, 2020 8:23 am

I have followed the guide and it works fine. I have one problem though. After a while I get disconnected from the VPN, does this happen to anybody else?

paqman
Posts: 27
Joined: Fri Sep 02, 2016 3:55 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Mon Apr 20, 2020 10:18 pm

So this works for me pretty flawlessly. dnsleaktest shows good, everything working. But I'm not sure how to add iptables rules back in to allow me to ssh in remotely? Also going to be running it headless and need to be able to ssh in. How do I allow port 22 in with iptables?

Edit: My bad, I didn't look at the rules closely when I pasted them in. My local network is 192.168.1.x. Now I just need to figure out how to delete all these rules lol.

bobmcguffin
Posts: 9
Joined: Thu Aug 20, 2020 3:33 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Aug 20, 2020 3:44 am

I might try this tutorial out as a last resort, but I have a question that I think you guys might be able to answer.

I want to install the Private Internet Access App on my Raspberry Pi, directly from the website, they have a download link for Linux in 64bit. When I try to run it, the mousepad will appear with 2 error messages before I can install it:

The Document Was Not UTF-8 Valid
Invalid Byte Sequence In Conversion Input

Does anyone know if there's an easy fix to this? This came as a huge surprise to me because I have the Raspberry Pi 4 model B and I've done sudo apt-get update and sudo apt-get upgrade and I'm running Raspbian with Debian. As far as I know this model of Pi can run 64bit apps for sure. I meet all the requirements to install PIA on my Raspberry PI, I've successfully paid for it and the "torrent box" tutorial I'm watching from techwiztime specifically suggests to be using PIA as your VPN.

I'm so confused, if you guys would know something about this I could use the help.
Thanks

fixxer5150
Posts: 1
Joined: Thu Oct 29, 2020 3:59 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Oct 29, 2020 4:29 am

UPDATE 28 OCT 2020:
257986 wrote:
Thu Sep 27, 2018 11:53 pm

Install OpenVPN.

sudo apt-get install openvpn -y

Get the VPN configuration files for the VPN. I use PIA

sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
This has changed since PIA has gone to "NextGen". US locations no longer work and this is going to be world-wide soon. Albania.ovpn (and probably some others) still works with the old config files but not for long.
The new wget is

wget https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip
They are denying access to the US locations and mine failed a few days ago.
Found the announcement for "NextGen" in their announcements pages.

I had no need for most of the above process for checking the IP and setup and used much simpler checks before/after.

I also validated my deluge port was tunneling through the VPN appropriately with torrent tracking. Google one and find the one you like that does not want private info. You basically seed it in your torrent manager and check the IP it advertises and then delete it when you are done.

I also found it much easier to create a two-line document in the same directory called "pass.txt" with the only two entries:

(insert your username here)
(insert your password here)

and appending to the bottom of the .ovpn I use:

auth-user-pass pass.txt
Then used crontab -e to set up the autostart. cron has been much more reliable for me on Debian using the Pi4B and latest Raspberry OS.

Hope this helps someone.

-fixxer5150

paqman
Posts: 27
Joined: Fri Sep 02, 2016 3:55 am

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Oct 29, 2020 4:16 pm

So I set this up last April, and it has been working flawlessly since then. Then all of the sudden this week I noticed it wasn't working. When I logged onto my pi to check it out, I noticed that I was not able to ping out to google or get my IP address. I shut down the iptables rules, and then I was able to ping out again. Openvpn seemed to be running, but I am still showing my local IP address. So I stopped openvpn, and started it on the console so I could read the output. About once a minute, it is giving me these errors:

Thu Oct 29 09:48:25 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 29 09:48:25 2020 TLS Error: TLS handshake failed
Thu Oct 29 09:48:25 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 29 09:48:55 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1198
Thu Oct 29 09:48:55 2020 UDP link local: (not bound)
Thu Oct 29 09:48:55 2020 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1198

The IP address it shows (that I x'd out), is not my local IP, so it looks like that is the IP address it is trying to assign me (from the PIA denver region). However when I curl icanhazip.com, it takes quite a while before coming back with my regular IP, not the PIA one.

Any idea why this is happening? I haven't made any changes to it, or to my network. This just started happening on it's own.

Zeno013
Posts: 1
Joined: Thu Oct 29, 2020 4:39 pm

Re: Pi VPN Walkthru for PIA Private Internet Access

Thu Oct 29, 2020 5:00 pm

have you tried openvpn-nextgen that fixxer5150 posted?

I had the same problem it died this morning after working for months. I upgraded to openvpn-nextgen then back up. I think this walk through needs to be updated now.
